23 July 2012

SSL/HTTPS - problems with kdb files

I'm an active Experts Exchange contributor, and there's this SSL/kdb problem. I indulge myself by publishing my comment on one of the questions (http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_27794894.html) here (with some edits):

As for CMS, it is an IBM proprietary format (like LTPA) and is not available in non-IBM JRE/JDKs, BUT I also had this issue that WAS's JDK could not open CMS (kdb) files - can't really say why as I did not troubleshoot it. But the workaround that worked for me was to run ikeyman not from /opt/IBM/WebSphere/AppServer/java but from a different WAS package JRE - like UpdateInstaller or InstallationManager - I'm sure you have either installed on your machine, so try them.

I just now checked how it looks when running ikeyman from C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\bin: I can operate on CMS files, but when running from C:\Program Files (x86)\IBM\Java60\jre\bin I can't, so it might be something with your java paths. If you can't figure it out, try the workaround I suggested above (UI or IM java).

The difference between kdb and p12 is - at least this is the "empirical" difference experienced by me - that kdb usually houses many certificates (signer & personal) for use by applications, whereas p12 is usually used to carry one certificate from an issuer to the owner (for instance, I get my corporate certificate in p12 from the supplier). Just "any" Java's keytool or any gsk7 won't be able to open a kdb file; it must be somewhere near ;) WebSphere.

If you use a kdb file for your IHS, don't forget to indicate your certificate as "default" in the kdb file. I was looking for a way to set the cert alias to use from within the httpd.conf file, but it seems to be impossible.

I thought that IHS uses ONLY the kdb database to get certificates from, but I just found that you may simply supply a crt file - PEM encoded (example: http://rimuhosting.com/howto/modssl.jsp).